From b26c705a0df16e70d12f044d1c263f700e576969 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 10 Oct 2019 09:18:47 +0100 Subject: [PATCH] wiki: Implement deleting files Fixes: #12124 Signed-off-by: Michael Tremer --- Makefile.am | 1 + src/backend/wiki.py | 7 +++--- src/templates/wiki/confirm-delete.html | 25 +++++++++++++++++++ src/templates/wiki/files/detail.html | 6 +++++ src/web/__init__.py | 1 + src/web/wiki.py | 33 ++++++++++++++++++++++++++ 6 files changed, 69 insertions(+), 4 deletions(-) create mode 100644 src/templates/wiki/confirm-delete.html diff --git a/Makefile.am b/Makefile.am index 4d645ccf..ea654525 100644 --- a/Makefile.am +++ b/Makefile.am @@ -276,6 +276,7 @@ templates_staticdir = $(templatesdir)/static templates_wiki_DATA = \ src/templates/wiki/404.html \ src/templates/wiki/base.html \ + src/templates/wiki/confirm-delete.html \ src/templates/wiki/diff.html \ src/templates/wiki/edit.html \ src/templates/wiki/page.html \ diff --git a/src/backend/wiki.py b/src/backend/wiki.py index 36d19e7c..1747429c 100644 --- a/src/backend/wiki.py +++ b/src/backend/wiki.py @@ -485,10 +485,9 @@ class File(misc.Object): def created_at(self): return self.data.created_at - def delete(self, author): - # XXX handle author - self.db.execute("UPDATE wiki_files SET deleted_at = NOW() \ - WHERE id = %s", self.id) + def delete(self, author=None): + self.db.execute("UPDATE wiki_files SET deleted_at = NOW(), deleted_by = %s \ + WHERE id = %s", author.uid if author else None, self.id) @property def deleted_at(self): diff --git a/src/templates/wiki/confirm-delete.html b/src/templates/wiki/confirm-delete.html new file mode 100644 index 00000000..031b9176 --- /dev/null +++ b/src/templates/wiki/confirm-delete.html @@ -0,0 +1,25 @@ +{% extends "base.html" %} + +{% block title %}{{ _("Delete %s") % file.filename }}{% end block %} + +{% block content %} +
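Review bot: In `File.delete` (src/backend/wiki.py), the new UPDATE has no guard on the current state of the row, so calling it on an already deleted file overwrites both `deleted_at` and the new `deleted_by` column, and the original deletion record is lost. If `deleted_by` is meant to be an audit trail, the statement should only touch live rows, e.g. by ending it with `WHERE id = %s AND deleted_at IS NULL`. The new `author=None` default also lets a caller record a deletion with no attribution; if nothing needs anonymous deletes, keep `author` required, or add a comment such as `# author is None only for system-initiated deletes`. The method is complete in the hunk, but the rest of the `File` class lies outside it, so whether other callers rely on the default cannot be seen here.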
+
+
+
{{ _("Delete %s") % file.filename }}
+ +

+ {{ _("Do you really want to delete %(filename)s in %(path)s?") % { "filename" : file.filename, "path" : file.path } }} +

+ +
+ {% raw xsrf_form_html() %} + + +
+
+
+
+{% end block %} diff --git a/src/templates/wiki/files/detail.html b/src/templates/wiki/files/detail.html index c4fe5ea0..a6773098 100644 --- a/src/templates/wiki/files/detail.html +++ b/src/templates/wiki/files/detail.html @@ -72,6 +72,12 @@ {% end %} +
{{ _("Delete") }}
+ + + {{ _("Delete") }} + +
{{ _("Upload Newer Revision") }}
diff --git a/src/web/__init__.py b/src/web/__init__.py index 2a1b96f0..8343b86d 100644 --- a/src/web/__init__.py +++ b/src/web/__init__.py @@ -290,6 +290,7 @@ class Application(tornado.web.Application): authentication_handlers + [ # Actions + (r"((?:[A-Za-z0-9\-_\/]+)?(?:.*)\.(?:\w+))/_delete", wiki.ActionDeleteHandler), (r"([A-Za-z0-9\-_\/]+)?/_edit", wiki.ActionEditHandler), (r"([A-Za-z0-9\-_\/]+)?/_render", wiki.ActionRenderHandler), (r"([A-Za-z0-9\-_\/]+)?/_(watch|unwatch)", wiki.ActionWatchHandler), diff --git a/src/web/wiki.py b/src/web/wiki.py index 6d0600f0..e5759e37 100644 --- a/src/web/wiki.py +++ b/src/web/wiki.py @@ -94,6 +94,39 @@ class ActionUploadHandler(auth.CacheMixin, base.BaseHandler): self.redirect("%s/_files" % path) +class ActionDeleteHandler(auth.CacheMixin, base.BaseHandler): + @tornado.web.authenticated + def get(self, path): + # Check permissions + if not self.backend.wiki.check_acl(path, self.current_user): + raise tornado.web.HTTPError(403, "Access to %s not allowed for %s" % (path, self.current_user)) + + # Fetch the file + file = self.backend.wiki.get_file_by_path(path) + if not file: + raise tornado.web.HTTPError(404, "Could not find %s" % path) + + self.render("wiki/confirm-delete.html", file=file) + + @tornado.web.authenticated + @base.ratelimit(minutes=60, requests=24) + def post(self, path): + # Check permissions + if not self.backend.wiki.check_acl(path, self.current_user): + raise tornado.web.HTTPError(403, "Access to %s not allowed for %s" % (path, self.current_user)) + + # Fetch the file + file = self.backend.wiki.get_file_by_path(path) + if not file: + raise tornado.web.HTTPError(404, "Could not find %s" % path) + + with self.db.transaction(): + file.delete(self.current_user) + + self.redirect("%s/_files" % file.path) + + + class ActionWatchHandler(auth.CacheMixin, base.BaseHandler): @tornado.web.authenticated @base.ratelimit(minutes=60, requests=180) -- 2.39.2
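Review bot: The new `_delete` route in src/web/__init__.py includes `(?:.*)`, which makes the leading `[A-Za-z0-9\-_\/]+` class ineffective, so the captured path can contain any characters, unlike the `_edit`, `_render` and `_(watch|unwatch)` routes next to it. That captured string is what the handler passes to `check_acl` and `get_file_by_path`, and whether those normalise sequences such as `..` or doubled slashes is not visible in this patch. Presumably the wildcard exists because file names can contain characters outside the page-name class; if so, restrict it to a single path segment for the file name (for example `[^/]+\.\w+` after the directory part) and add a comment saying which characters are intended. Having the overlapping `[...]+` and `.*` groups side by side also causes needless backtracking on requests that do not end in `/_delete`.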
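Review bot: In `ActionDeleteHandler`, both `get` and `post` authorise against the raw URL `path` before the file is looked up, and the object that is actually deleted is never checked. Keeping the early check avoids revealing whether a file exists, but adding a second check on the resolved object after the lookup, `if not self.backend.wiki.check_acl(file.path, self.current_user): raise tornado.web.HTTPError(403)`, would tie the decision to what `file.delete()` acts on and not to a string from the permissive route. It is also not visible here whether `check_acl` expresses a right to modify or only to read; if it is the read ACL, any authenticated user who can view a path can delete its files, so a comment stating the intended policy (or a dedicated permission) would help. The permission check and lookup are duplicated verbatim in `get` and `post` and could move into one private helper so the two cannot drift apart.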